An Overview of UAC in Windows Vista

One of the most welcome features in Vista is User Account Control (UAC), formerly called User Account Protection (UAP), and before that, Least-privileged User Account (LUA). The idea behind UAC is to enable users to run their machines as standard users rather than as administrators. Running your machine as a high-privileged administrator is a bad idea since it means any download-and-install from the internet (whether deliberate or otherwise) gets installed and runs using admin credentials. If the software is "mal-intentioned" then you could be in a heap of trouble. Running your machine as a standard (low-privileged) user, on the other hand, means that any software you install and run can do only a limited amount of damage.

Unfortunately, the common experience today with platforms like Windows XP is that it's extremely cumbersome, difficult, and sometimes even impossible for users to run the software they need without admin credentials. (I've written a couple of articles on this that you may want to check out: one is on WindowsNetworking.com and describes the problem and offers a few tips and suggestions, and the other is on WindowSecurity.com and has responses from readers describing their own difficulties and workarounds.) The big hope is that with Vista, users will be able to run the applications they need as standard users rather than as admins, making their machines more secure and easier to support in enterprise environments, and that greater parental control will be provided for home computers to ensure their security as well. Let's take a look at how this will work for both home and enterprise users.

Types of Users

First you need to understand how user accounts and their privileges have changed under Vista. In previous Windows platforms, you had three basic kinds of users local to the machine: Administrators can do just about anything; Power Users can do a few of the things that admins can do but are otherwise like ordinary users; and ordinary Users have only limited privileges to configure the system or install programs. In Vista, however, you now have only two kinds of users: Standard Users who have limited privileges on the machine, and Administrators who also have limited privileges on the machine but who can temporarily elevate their privileges to perform admin-level tasks such as changing system settings or installing apps. There's also the built-in Administrator account, which is special and always has elevated privileges, but the idea is that you'll never have to allow your desktop users to use this account.

So when a Vista user is running as an administrator, for example, and tries to open Local Security Policy (an administrative tool used to view and modify security settings on the local machine) by right-clicking and selecting Run As Administrator, a prompt like this appears:

Figure 1: Elevated privileges are required to run administrative tools.

Clicking Allow opens Event Viewer, because the user is running as an administrator. But if you are logged on as a standard user and you try to open Local Security Policy by right-clicking and selecting Run As Administrator, you get this instead:

Figure 2: An administrator password is required to run administrative tools.

Note that an administrator account has the ability to elevate its privileges, while a standard user requires an administrator to come and enter his password (close your eyes please!) to achieve the same effect. And here lies the first difficulty with how UAC is implemented. Having an administrator provide "over the shoulder" (OTS) credentials like this when needed certainly increases security but it reduces usability. One of the first things many beta testers have said concerning this is, "How do I turn this off?" And some parents are likely to feel frustrated after providing credentials for their children for the umpteenth time and end up turning UAC off entirely (in current builds you can do this using the Tools tab of the msconfig.exe window). But really, isn't there always a tradeoff between security and usability? If the goal of UAC is to make Windows machines more secure, then it's inevitable that this also means that it will make such machines less usable and harder to manage ("Oh no, not again. I'm coming Suzie…") than present Windows platforms. It's half of one and 50 percent of the other.